WebOS SMS vulnerability detailed

The WebOS platform is host to some pretty serious security flaws according to Intrepidus Group's researchers.

Palm's WebOS platform - the software behind the Palm Pre smartphone, among others - has a rather nasty bug in it which can lead to remote exploitation via SMS.

According to a post on ZDNet's Zero Day blog, the flaw - discovered by security firm Intrepidus Group - stems from the inability of the SMS client within WebOS to perform input validation on received text messages. As a result, the team found "a rudimentary HTML injection bug [that] leads directly to injecting code into a WebOS application" - something Intrepidus describes as "quite dangerous," allowing a single SMS to bring the system to its knees.

It's a pretty serious flaw, made worse by the simplicity of the injection mechanism - one simple text message is enough to bring the system to its knees, or send the user to a malicious website to quietly download a Trojan or other malware.

Sadly, a fix could take a while: the company blames the simplicity - and seriousness - of the hack on the very nature of the WebOS platform itself. Claiming that "these bugs can all be traced back to the fact that WebOS is essentially a web browser and the applications are written in JavaScript and HTML," the researchers behind the attack believe that Palm - which is allegedly trying to find a buyer - should have caught the issue in early testing. The fact that current handsets in the wild suffer from such a simple flaw shows, the team claims, that Palm "put almost no thought into security during [its] development of WebOS."

The team has posted a video demonstrating the scope of the vulnerabilities - and thus far Palm hasn't provided a comment as to when the issues raised by Intrepidus might be resolved.

Are you shocked to find such a simple flaw in a supposedly mature, commercially-available mobile platform, or is Intrepidus being more than a little harsh on Palm? Would knowledge of this attack put you off making your next smartphone a WebOS device, or does the platform have bigger issues? Share your thoughts over in the forum.